Abstract


Advanced aircraft will require flight-critical computer systems for stability augmentation as 
well as guidance and control that must perform reliably in adverse, as well as nominal, operating 
environments. Digital system upset is a functional error mode that can occur in electromagnetically 
harsh environments, involves no component damage, can occur simultaneously in all channels of a 
redundant control computer, and is software dependent. This paper presents a strategy for 
dynamic upset detection to be used in the evaluation of critical digital controllers during the design 
and/or validation phases of development. The motivation for this work is the development of tools 
and techniques that can be used in the laboratory to validate and/or certify critical controllers 
operating in adverse environments that result from disturbances caused by an electromagnetic 
source such as lightning, high-intensity radiated fields (HIRF), and nuclear electromagnetic pulses 
(NEMP). The upset detection strategy presented in the paper provides dynamic monitoring of a 
given control computer for degraded functional integrity that can result from redundancy 
management errors and control command calculation errors that could occur in an 
electromagnetically harsh operating environment. In addition, analytical redundancy of the control 
laws provides a reference of the correct control command for the given dynamic mode of the plant. 
This reference command is used to determine the effectiveness of the control in the given dynamic 
situation. The paper discusses the use of Kalman filtering, data fusion, and decision theory in 
monitoring a given digital controller for control calculation errors, redundancy management errors, 
and control effectiveness. 


Introduction 

Advanced aircraft will require systems for stability augmentation as well as guidance and 
control that will be critical to the flight of the aircraft. The trend in avionics technology is the 
implementation of control laws on digital computers that are interfaced to the sensors and control 
surface actuators of the aircraft. Since these control systems will be flight-critical, the problem of 
verifying the integrity of the control computer in adverse, as well as nominal, operating 
environments becomes a key issue in the development and certification of a critical control system. 

An operating environment of particular concern results from the presence of
electromagnetic fields caused by sources such as lightning, high-intensity radiated fields (HIRF),
and nuclear electromagnetic pulses (NEMP). Electromagnetic fields may cause analog electrical
transients to be induced on the aircraft's wiring, and these signals can propagate to the onboard
electronic equipment despite shielding and protective devices such as filters and surge suppressors.
There are two types of effects on digital computer systems that can be caused by transient electrical
signals. The first is component damage that requires repair or replacement of the equipment. The
second type of damage to a digital system is characterized by functional error modes, collectively
known as "upset", which involve no component damage. Functional error modes of a critical
controller which can be termed as upset in the system are characterized by: (i) faulty I/O
processing and command calculations that result in off-nominal system behavior or degraded
system performance; and (ii) faulty redundancy management decisions that result in degraded
system performance and/or reliability. In the case of upset, normal operation can be restored to the
system by corrective action such as resetting/reloading the software or by an internal recovery
mechanism, such as an automatic rollback to a system state prior to the disturbance. The subject of
effective and reliable internal upset recovery mechanisms is another current topic for research.



The usual features of fault tolerant systems such as redundant input and output checking and
selection, surge suppression devices and filters, and a redundant microprocessor architecture with
voting may not be sufficient to ensure correct operation in an electromagnetically adverse operating
environment. Surge suppression devices and filters are effective for large amplitude, high
frequency transients. However, low amplitude signals at frequencies near the clock speeds of
digital circuitry can be generated by electromagnetic fields and propagate to electronic equipment
onboard an aircraft. In addition, redundancy protects against single-mode failures that occur in one
channel of the system, but does not protect against the potential common-mode failure (i.e. upset)
of all channels in the redundant system as a result of transient signals induced by a single
electromagnetic disturbance.

To date, there are no comprehensive guidelines or criteria for detecting upset in fault
tolerant digital control computers, designing reliable internal upset recovery mechanisms, or
performing tests or analyses on digital controllers to verify control integrity or evaluate upset
susceptibility/reliability in electromagnetically adverse operating environments. In order to assess a
digital control computer for upset susceptibility, the issue of upset detection must be addressed.
Real-time considerations for upset detection would reduce post data processing requirements
during validation/certification testing. Therefore, the objective of this research is to develop a
detection methodology for real-time laboratory implementation whereby a given digital
computer-based control system can be evaluated for upset susceptibility when subjected to analog
transient electrical signals like those that would be induced by an electromagnetic source such as
lightning, HIRF, or NEMP. In the event of the occurrence of upset during testing, the detection
methodology will also provide a framework for diagnosis of the upset in the given digital
controller. An illustration of the basic laboratory set-up is shown in Figure 1. The fault tolerant
controller to be evaluated for upset susceptibility is interfaced in the laboratory to a simulation of
the plant, actuators, and redundant sensors so that closed-loop dynamics are represented during
testing. The controller, with $\rho$ redundant processors (or microprocessors, designated as
$\mu P_1$ - $\mu P_\rho$), is subjected to disturbances like those that could occur in an
electromagnetic environment. In the case of lightning, transient signals that would be induced on
internal wiring are generated. In the case of HIRF, electromagnetic fields that could occur from
radars or high-power radio transmitters are generated. The control system is dynamically monitored
for upset in real-time during testing. The objective of the paper is to present an upset detection
strategy for monitoring a given fault tolerant controller for degraded control integrity resulting from
redundancy management errors, control command calculation errors, and control effectiveness
errors that could occur in an electromagnetically harsh operating environment. Kalman filtering,
statistical decision theory, and data fusion are used in the detection of redundancy management
errors and control command calculation errors. Analytical redundancy of the control laws provides
a reference of the correct control command for a given dynamic mode of the plant. This reference
command is used in the control effectiveness decision.

Problem Formulation 

Consider the block diagram shown in Figure 2 of a given control system consisting of the
plant, redundant sensors, actuators, and fault tolerant control computer. Input/output conversions
and signal conditioning between the plant and controller are represented by the indicated blocks.
Input processing functions including analog-to-digital (A/D) conversion, frequency-to-digital
conversion, surge suppressors for protection against high-level transient signals, and filters to
reduce high-frequency noise have been represented by the A/D and Signal Conditioning block.
Output processing functions such as signal conditioning and digital-to-analog (D/A) conversion are
represented by the D/A and Signal Conditioning block. The given fault tolerant controller is
modeled to consist of three basic blocks. The input selection and redundancy management block
performs rate and/or range checks of the data values and generates the input data vector for each of
the microprocessors. The redundant microprocessors calculate the control commands based on the
input vector for each processor. Redundancy in the control computer protects against single-mode
failure of components during normal operation. The output selection and redundancy management
block performs rate and/or range checks on the calculated commands from each processor and
determines via voting, or some other scheme, the command to be output from the controller for
each control loop. The following linear model is proposed for the given control system of Figure
2. The elements of the model are defined by the given system and would be determined prior to
assessment. For simplicity of notation, it will be assumed that each processor has its own sensor
set. Thus, it is assumed that there will be the same number of sensors for each measurement as
there are processors.

Plant:
$$\dot{x}_p(t) = A x_p(t) + B u(t) + \Phi w_p(t)\;;\quad x_p(t) \in \mathbb{R}^p \qquad (1)$$

Sensors:
$$s^i_p(t) = C^i x_p(t) + \Psi^i w^i_s(t),\quad i = 1, 2, \ldots, \rho\;;\quad s^i_p(t) \in \mathbb{R}^m \qquad (2)$$
where $s^i_p(t) = [\,s^i_{p1}(t)\;\; s^i_{p2}(t)\;\; \cdots\;\; s^i_{pm}(t)\,]'$ ; $s^i_{pf}(t) \in \mathbb{R}$

Input Selection and Redundancy Management:
$$y^i_{in}(k) = [\,y^i_{in,1}(k)\;\; y^i_{in,2}(k)\;\; \cdots\;\; y^i_{in,m}(k)\,]'\;;\quad y^i_{in}(k) \in \mathbb{R}^m$$
$$y^i_{in,f}(k) = E^i_f(k)\, s_{pf}(k) + \gamma^i_f\, w^i_{in,f}(k),\quad i = 1, 2, \ldots, \rho\;;\quad y^i_{in,f}(k) \in \mathbb{R},\; s_{pf}(k) \in \mathbb{R}^\rho \qquad (3)$$
where $s_{pf}(k) = [\,s^1_{pf}(k)\;\; s^2_{pf}(k)\;\; \cdots\;\; s^\rho_{pf}(k)\,]'$ ; $f = 1, 2, \ldots, m$

Redundant Controllers:
$$x^i_c(k+1) = F^i x^i_c(k) + G^i y^i_{in}(k) + \xi^i w^i_c(k),\quad i = 1, 2, \ldots, \rho\;;\quad x^i_c(k) \in \mathbb{R}^n \qquad (4)$$
where $x^i_c(k) = [\,x^i_{c1}(k)\;\; x^i_{c2}(k)\;\; \cdots\;\; x^i_{cn}(k)\,]'$ ; $x^i_{cj}(k) \in \mathbb{R}$

Output Processing and Redundancy Management:
$$y_{out}(k) = [\,y_{out,1}(k)\;\; y_{out,2}(k)\;\; \cdots\;\; y_{out,n}(k)\,]'\;;\quad y_{out}(k) \in \mathbb{R}^n$$
$$y_{out,j}(k) = L_j(k)\, x_{cj}(k) + \eta_j\, w_{out,j}(k),\quad j = 1, 2, \ldots, n\;;\quad y_{out,j}(k) \in \mathbb{R} \qquad (5)$$
where $x_{cj}(k) = [\,x^1_{cj}(k)\;\; x^2_{cj}(k)\;\; \cdots\;\; x^\rho_{cj}(k)\,]'$ ; $x_{cj}(k) \in \mathbb{R}^\rho$

Actuators:
$$u(t) = N y_{out}(t) + \mu\, w_u(t)\;;\quad u(t) \in \mathbb{R}^n \qquad (6)$$
where $y_{out}(t) = [\,y_{out,1}(t)\;\; y_{out,2}(t)\;\; \cdots\;\; y_{out,n}(t)\,]'$ ; $y_{out}(t) \in \mathbb{R}^n$

Equations (1) - (6) represent a hybrid model of continuous-time and discrete-time components.
Equation (1) is the continuous-time state equation for the plant. Matrix $A$ is the plant state
transition matrix, $u(t)$ is the control input, and $w_p(t)$ reflects noise and/or modeling errors.
Equation (2) is the continuous-time sensor model for the $i$th redundant sensor, with $w^i_s(t)$
representing the sensor noise. Equation (3) is the discrete-time model for the selection and
management of redundant sensor inputs $s_{pf}(k)$ for the $f$th measurement, with the noise term
$w^i_{in,f}(k)$ representing modeling error. Matrix $E^i_f(k)$ is shown to be time-varying to
represent selection, rejection, voting, or fusion of redundant sensor measurements during operation
of the system. If the given system has an input data selection process without data fusion, the
elements of $E^i_f(k)$ will be zero or one and may be based on heuristics, such as the result of
range and/or rate checks on the sensor measurements. In systems that fuse sensor measurements
into a single value, matrix $E^i_f(k)$ would represent the input data fusion process. Equation (4) is
the discrete-time state equation for the command vector calculation for the $i$th processor, and
matrix $F^i$ is the transition matrix. Matrix $G^i$ is the measurement matrix for measurement
vector $y^i_{in}(k)$ of the $i$th processor. Term $w^i_c(k)$ reflects noise and/or modeling errors
associated with the command vector calculation from the $i$th processor. Equation (5) is the
discrete-time model for the selection and management of the redundant command calculations, with
modeling error accounted for in the noise term $w_{out,j}(k)$. Matrix $L_j(k)$ is time-varying to
represent selection or fusion of command calculations for the command $y_{out,j}(k)$ of the
$j$th control loop during operation of the system. If the given system has a voting strategy for
output command calculations, the elements of $L_j(k)$ will be zero or one and may be based on
heuristics associated with the voting strategy. In systems that combine calculations into one
output, $L_j(k)$ would represent the command calculation fusion process. Equation (6) is the
continuous-time actuator model. The actuators receive the command vector $y_{out}(t)$ and affect
the dynamics of the plant via $u(t)$. The term $w_u(t)$ reflects noise and/or modeling errors.

The research problem is to develop a monitoring scheme for real-time laboratory
implementation to be used in the validation/certification of a given fault tolerant controller, modeled
as shown in Figure 2, during operation in an electromagnetic environment that could result from
lightning or HIRF. An upset test methodology for control computers was discussed in [1].
However, this methodology relies on post-processing of data collected during every test. Since the
detection strategy presented in this paper is for eventual real-time implementation, it will eliminate
the need to store data during tests in which upset does not occur. In addition, the strategy provides
an indication of where errors occurred for diagnostic purposes so that any desired post-processing
of the data is simplified.


Fault Tolerant Control Monitoring Strategy 

In order to detect redundancy management errors, control command calculation errors, and
control effectiveness errors in the fault tolerant controller, measurements of the control system of
Figure 2 must be taken by the monitor. These measurements are indicated in Figure 3, and their
equations are given as:

Measurement of the Plant State:
$$z_p(k) = T x_p(k) + v_p(k)\;;\quad z_p(k) \in \mathbb{R}^p \qquad (7)$$

Measurement of Sensor Outputs:
$$z^i_s(k) = D^i s^i_p(k) + v^i_s(k),\quad i = 1, 2, \ldots, \rho \qquad (8)$$

Measurement of Input Vectors:
$$z^i_{in}(k) = J^i y^i_{in}(k) + v^i_{in}(k) \qquad (9)$$

Measurement of Calculated Commands:
$$z^i_c(k) = H^i x^i_c(k) + v^i_c(k) \qquad (10)$$

Measurement of Output Command Vector:
$$z_{out}(k) = M y_{out}(k) + v_{out}(k) \qquad (11)$$

Measurement of the Actuator:
$$z_u(k) = P u(k) + v_u(k) \qquad (12)$$

In equations (7) - (12), $T$, $D^i$, $J^i$, $H^i$, $M$, and $P$ are the measurement matrices. The
terms $v_p(k)$, $v^i_s(k)$, $v^i_{in}(k)$, $v^i_c(k)$, $v_{out}(k)$, and $v_u(k)$ represent
measurement noise. All noise processes in equations (1) - (12) are assumed to be independent,
white, and Gaussian.

The fault tolerant control computer is monitored for errors in redundancy management and
control command calculations, as well as control effectiveness for the given dynamic mode of the
plant. In the context of this mathematical formulation, upset is defined as a change in any of the
matrices $E^i_f(k)$ of equation (3), $F^i$ and $G^i$ of equation (4), and $L_j(k)$ of equation (5)
that causes a reduction in effectiveness and/or reliability of the control system. A concept for upset
detection in critical digital control computers is presented in Figure 4. Redundancy management
processes in the control computer to be monitored are the input parameter selection process, the
output command selection process, and the management of redundant resources. An example of an
error in the management of redundant resources is the computer deciding that one of the redundant
sensors is bad and ignoring its measurements when, in fact, it is operating correctly. Since
eliminating a good sensor reduces the redundancy and overall reliability of the system, this
redundancy management error would constitute an upset. The redundancy management monitor
effectively detects incorrect changes in the matrices $E^i_f(k)$ and $L_j(k)$ of equations (3) and
(5), respectively. Elements of these matrices are compared to the input/output selection codes of
the controller to determine if the controller has eliminated resources that are not faulty. Inputs to
the input selection error detection portion of this monitor are measurements of the sensor outputs,
$z^i_s(k)$, and measurements of the selected input vector for each channel, $z^i_{in}(k)$. If an
error is not detected in the input selection process, the decision variable $d^i_{in}(k)$ will maintain
its nominal value of -1. If an error is detected in the input selection process, the value of
$d^i_{in}(k)$ becomes unity. Inputs to the output selection error detection part of this monitor are
measurements of the selected output commands, $z_{out,j}(k)$. If an error is not detected in the
output selection process, the decision variable $d_{out,j}(k)$ will maintain its nominal value of -1.
If an error is detected in the output selection process, the value of $d_{out,j}(k)$ becomes unity.
Individual decisions $d^i_{in}(k)$ and $d_{out,j}(k)$ are combined or fused into one redundancy
management error decision, $d_r(k)$. The calculation of commands for each control loop $j$ is also
monitored for errors. This monitoring is done dynamically as the commands are calculated.
Changes in the matrices $F^i$ and $G^i$ of equation (4) are detected by monitoring for changes in
the dynamics of the control command calculation state equation. Inputs to the control calculation
error detector are measurements of the selected input vector for each channel, $z^i_{in}(k)$, and
the control command calculation vector of each channel, $z^i_c(k)$. Individual decisions
$d^i_{cj}(k)$ are made for the command calculations made by each processor for each control
loop, and these decisions are combined or fused into one error decision, $d_c(k)$, for the
calculation of control commands. Analytical redundancy of the control laws provides a reference of
the correct control command for the given dynamic mode of the plant. Inputs to the analytical
model of the control laws are measurements of the plant state, $z_p(k)$. This reference is used in a
decision process to determine if the calculated command output vector, $y_{out}(k)$, is effective in
regulating the plant under a given dynamic situation. Considerations such as range and rate
limitations of the actuators will be inherent in the evaluation of control effectiveness. If a control
effectiveness error is not detected, the decision variable $d_{ej}(k)$ will maintain its nominal value
of -1. If an error in control effectiveness is detected, the value of $d_{ej}(k)$ becomes unity.
Individual control effectiveness error decisions $d_{ej}(k)$ are made for each control loop, and
these decisions are combined or fused into one error decision, $d_e(k)$, for the effectiveness of the
control command output vector. The decisions corresponding to redundancy management errors,
control command calculation errors, and control command effectiveness errors are fused into one
global upset decision, $d(k)$, which has a nominal value of -1 and a value of unity for the upset
decision. This global fusion process may be a logical OR rule, or may provide weightings
corresponding to the relative costs of the three error processes. In tests during which upset occurs
and is signaled by the unity value of $d(k)$, the redundancy management error decisions
$d^i_{in}(k)$ and $d_{out,j}(k)$, the control calculation error decisions $d^i_{cj}(k)$, and the
control effectiveness error decisions $d_{ej}(k)$ are all stored in the monitor as a diagnostic aid for
post-testing data analysis. A basic strategy for monitoring the control computer for erroneous
command calculations, redundancy management errors, and control command effectiveness is
now presented.

Control Command Calculation Error Monitor. The basic approach for monitoring errors in a
control command calculation is shown in Figure 5. The control law is represented as a linear or
linearized recursive state equation with state $x^i_{cj}(k)$ for the command calculation of control
loop $j$ from microprocessor $i$. A Kalman Filter is used to generate the estimate vector
composed of an estimate of the correct state for each of the $j$ control command calculations
based on measurements of the selected input vector $z^i_{in}(k)$ and the previous calculated
command state vector $z^i_c(k-1)$. The estimate $\hat{x}^i_{cj}(k)$ is compared to the current
measurement $z^i_{cj}(k)$ of the $j$th command calculated by the $i$th microprocessor, and a
residual $r^i_{cj}(k)$ is generated based on the difference. A statistical decision rule is then
applied to the residual and a decision $d^i_{cj}(k)$ is made regarding the correctness of the
command $j$ calculation of processor $i$ given the selected input vector. The decisions for
command calculations $j = 1, 2, \ldots, n$ are then fused into a single decision, $d^i_c(k)$, for the
correctness of the command calculations from processor $i$. Similar methods were used in the
detection of sensor failures in turbofan engines [2] and in the detection of failures in aircraft
actuators and control surfaces [3]. In [2], analytical redundancy, Kalman filtering, and decision
theory were used to detect sensor failures in an F100 turbofan engine. Instantaneous, or "hard",
errors were detected by comparing measured sensor values with those of an analytical model,
taking the absolute value, and comparing this residual to a threshold. Small bias errors and drift in
sensor measurements, or "soft" errors, were detected using multiple-hypothesis testing methods in
which each hypothesis corresponded to a particular sensor failure. Once a "hard" or "soft" sensor
failure was detected, the elements of an interface switch matrix were changed so that a Kalman
Filter estimate of the sensor value replaced the measurement in the input vector used in the control
laws. The methodology of [2] was demonstrated on a hybrid real-time simulation of the F100
engine as well as on a full-scale F100 engine with good results. However, this methodology was
not designed to detect failures in physically redundant systems and, therefore, does not use data
fusion methods. In [3], analytical redundancy and decision theory were used to detect actuator
failures and control surface failures in aircraft. The design methodology consisted of two failure
detection and identification (FDI) algorithms or subsystems - one for actuator failures and one for
control surface failures. In the actuator FDI subsystem, an analytical model was implemented to
generate a prediction of the dynamic behavior of the actuators. This prediction was compared to
measurements taken from the actuators, and a residual was generated and used in a decision
process that consisted of trigger, verify, and isolate tests. The control surface FDI subsystem was
designed in a similar fashion. The methodology of [3] was demonstrated using a six
degree-of-freedom nonlinear simulation of a modified Boeing 737 airplane with good results. This
methodology was not designed to detect failures in physically redundant systems and did not use
data fusion techniques.

The basic approach shown in Figure 5 is extended for the dynamic monitoring of control
calculations in redundant systems and is illustrated in Figure 6. The global decision $d_c(k)$ on
whether or not control command calculation errors have occurred is based on the fusion of the
command calculation error decisions $d^i_c(k)$ for the $\rho$ processors. The command calculation
error decision $d^i_c(k)$ for each processor is generated by the process described as the basic
approach shown in Figure 5. Previous work [4] compared two distributed detection strategies,
each using a different type of data fusion. One strategy involved the fusion of estimates, and the
other strategy involved the fusion of local decisions. The ROC curve of the strategy with decision
fusion was shown to be more desirable for two cases.
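As an added example, not code from the paper, the Python below implements the Figure 5/6 monitor for one control loop: a scalar Kalman filter per processor predicts the correct command from the measured selected input $z^i_{in}(k-1)$ and its own previous estimate, the normalized innovation drives a fixed-threshold decision $d^i_{cj}(k)$, and the per-processor decisions are fused by logical OR into $d_c(k)$. The first-order control law, the noise variances, the 4-sigma threshold, the bounded deterministic pseudo-noise and the sign-flip upset in processor $\mu P_2$ are all constructed assumptions.

```python
"""Control command calculation error monitor (paper's Figures 5 and 6).

Added example, not code from the paper. Assumptions (constructed): one
control loop with a scalar first-order control law, a scalar Kalman filter
per processor, a 4-sigma threshold on the normalized innovation, logical-OR
decision fusion, bounded deterministic pseudo-noise, and an upset that flips
the sign of coefficient G in one processor.
"""
import math

NOMINAL, ERROR = -1, 1          # decision variable values used in the paper


class CommandCalcMonitor:
    """Scalar Kalman filter for x_c(k+1) = F x_c(k) + G y_in(k) of one
    processor i and loop j, with an innovation-based statistical decision."""

    def __init__(self, F, G, q, r, x0, threshold=16.0):
        self.F, self.G = F, G        # control law model, known before the test
        self.q, self.r = q, r        # process and measurement noise variances
        self.x_hat, self.P = x0, r   # estimate initialized from first measurement
        self.threshold = threshold   # on resid^2 / S; 16 = (4 sigma)^2

    def step(self, z_in_prev, z_c):
        """Process the command measurement z_c^i(k) given the measured
        selected input z_in^i(k-1); return (residual, decision)."""
        x_pred = self.F * self.x_hat + self.G * z_in_prev   # predicted correct command
        P_pred = self.F * self.F * self.P + self.q
        resid = z_c - x_pred                                 # innovation r_cj^i(k), H = 1
        S = P_pred + self.r                                  # innovation variance
        decision = ERROR if resid * resid / S > self.threshold else NOMINAL
        K = P_pred / S                                       # Kalman gain and update
        self.x_hat = x_pred + K * resid
        self.P = (1.0 - K) * P_pred
        return resid, decision


def fuse_or(decisions):
    """Decision fusion by logical OR: any local error gives a global error."""
    return ERROR if ERROR in decisions else NOMINAL


def simulate(n_steps=40, n_proc=3, upset_proc=1, upset_step=21):
    """Constructed scenario: rho = n_proc processors each compute
    x(k) = F x(k-1) + G y_in(k-1). From upset_step on, processor upset_proc
    (0-based; 1 is the paper's muP2) uses -G, a calculation error with no
    component damage. Returns [(k, [d_c^i(k) ...], d_c(k)), ...]."""
    F, G = 0.8, 0.2
    y_in = 1.0                              # selected input: a unit step command
    x = [0.0] * n_proc                      # processors' command states

    def v_c(k, i):                          # constructed measurement "noise"
        return 0.01 * math.sin(1.3 * k + i)

    def v_in(k):
        return 0.005 * math.cos(0.9 * k)

    monitors = [CommandCalcMonitor(F, G, q=1e-6, r=1e-4, x0=x[i] + v_c(0, i))
                for i in range(n_proc)]
    history = []
    for k in range(1, n_steps):
        z_in_prev = y_in + v_in(k - 1)      # monitor's measurement z_in(k-1)
        local = []
        for i in range(n_proc):
            G_i = -G if (i == upset_proc and k >= upset_step) else G
            x[i] = F * x[i] + G_i * y_in    # controller's own calculation
            z_c = x[i] + v_c(k, i)          # monitor's measurement z_c^i(k)
            _, d = monitors[i].step(z_in_prev, z_c)
            local.append(d)
        history.append((k, local, fuse_or(local)))
    return history


def first_alarm(history, proc=None):
    """Step k of the first ERROR decision, per processor or global (None)."""
    for k, local, d_c in history:
        if (d_c if proc is None else local[proc]) == ERROR:
            return k
    return None


if __name__ == "__main__":
    hist = simulate()
    print("global d_c(k) first signals upset at k =", first_alarm(hist))
    print("per-processor first alarms:",
          [first_alarm(hist, i) for i in range(3)])
```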

Redundancy Management Error Monitor. Since the detection strategy of Figure 4 is for
detecting errors in the controller and is to be implemented in the laboratory setting depicted in
Figure 2, which involves the simulation of redundant sensors, it will be assumed that sensor
failures do not occur. The strategy for detecting input redundancy management errors is illustrated
in Figure 7. Redundant parameter measurements from the $\rho$ sensors are used by the monitor in
the same input selection algorithm as that of each channel in the controller, and a prediction of the
selected parameter inputs is made. Note that this algorithm corresponds to $E^i_f(k)$ of equation
(3). As shown in Figure 7, measurements of the redundant sensor 1 inputs,
$z^1_{s1}(k), z^2_{s1}(k), \ldots, z^\rho_{s1}(k)$, are used in the monitor's input 1 selection
rule, which is identical to that of microprocessor 1, to obtain the reference selected value of input
1, $y^1_{in,1}(k)$. This reference value is compared with a measurement of the input 1 value
actually selected by microprocessor 1, $z^1_{in,1}(k)$, and a residual is generated. This residual,
$r^1_{in,1}(k)$, is used in a statistical decision rule to determine if a correct or faulty selection of
input 1 was made by microprocessor 1. This decision is designated as $d^1_{in,1}(k)$. The input
selection error decision process is performed for each redundant input parameter and for each
microprocessor in the controller. The input 1 selection decisions for the $\rho$ microprocessors are
denoted as $d^1_{in,1}(k), d^2_{in,1}(k), \ldots, d^\rho_{in,1}(k)$. These input selection error
decisions for the $\rho$ processors are fused to obtain the selected input error decision
$d_{in,1}(k)$. This error detection structure is implemented for the $m$ input measurements to
yield the selected input error decisions $d_{in,1}(k), d_{in,2}(k), \ldots, d_{in,m}(k)$. These
decisions are then fused to obtain the global error decision for the correctness of the input selection
process of the controller, $d_{in}(k)$.

The output selection error detection strategy is shown in Figure 8. The Kalman Filter
estimates of the command calculations for each control loop from each processor are used by the
monitor in the same output selection algorithm as that of the controller, and a prediction of the
selected parameter outputs is made. This algorithm corresponds to $L_j(k)$ in equation (5). As
shown in Figure 8, estimates of the calculated control command for loop $j$ from the $\rho$
processors, $\hat{x}^1_{cj}(k), \hat{x}^2_{cj}(k), \ldots, \hat{x}^\rho_{cj}(k)$, are used in the
monitor's command $j$ output selection rule, which is identical to that of the controller, to obtain
the reference selected value of the $j$th control command output, $\hat{x}_{cj}(k)$. These
reference values are each compared with the measurement $z_{out,j}(k)$ of the controller's
selected command $j$ output, and a residual, $r_{out,j}(k)$, is formed. The residual is used in a
statistical decision rule to determine if a correct or faulty selection of output command $j$ was
made by the controller. The decision for the $j$th command loop is designated $d_{out,j}(k)$.
These decisions are then fused into a global decision, $d_{out}(k)$, for the correctness of the
output decision process of the controller. The error decisions $d_{in}(k)$ and $d_{out}(k)$ for the
input and output selection processes, respectively, are then fused into a global redundancy
management error decision $d_r(k)$ as shown in Figure 4.
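As an added example that is not part of the paper, the Python below implements the Figure 7 input selection monitor together with the redundancy management error described earlier (a channel eliminating a sensor that is in fact healthy): the monitor reruns the controller's own selection rule on the measured redundant sensor outputs, forms $r^i_{in,f}(k)$ against the measured selected input $z^i_{in,f}(k)$, thresholds it, and fuses the $\rho$ channel decisions into $d_{in,1}(k)$. The mid-value selection rule, sensor biases, pseudo-noise, threshold and upset scenario are constructed assumptions.

```python
"""Input selection (redundancy management) error monitor, paper's Figure 7.

Added example, not code from the paper. Constructed assumptions: m = 1
measured parameter, rho = 3 sensors and rho = 3 processors, a mid-value
selection rule that falls back to averaging the sensors a channel still
trusts, fixed sensor biases, bounded deterministic pseudo-noise, a fixed
residual threshold, and an upset in which one channel discards a healthy
sensor (the paper's example of a redundancy management error).
"""
import math

NOMINAL, ERROR = -1, 1          # decision variable values used in the paper


def select_input(sensor_values, trusted):
    """Selection rule shared by controller and monitor; it plays the role of
    E_f^i(k) in equation (3): a single 1 at the mid-value sensor, or equal
    weights over the survivors when fewer than three sensors are trusted."""
    vals = sorted(sensor_values[s] for s in trusted)
    if len(vals) >= 3:
        return vals[len(vals) // 2]       # mid-value select
    return sum(vals) / len(vals)          # average of the remaining sensors


def input_selection_decision(z_s, z_in, threshold):
    """Monitor for one input f and processor i: rerun the selection rule on
    the measured sensor outputs z_s^1..z_s^rho (all trusted: the laboratory
    sensors do not fail), form r_in,f^i(k) against the measured selected
    input z_in,f^i(k), and apply a fixed-threshold decision rule."""
    reference = select_input(z_s, range(len(z_s)))
    residual = z_in - reference
    return residual, (ERROR if abs(residual) > threshold else NOMINAL)


def fuse_or(decisions):
    """Decision fusion by logical OR over the rho channels (or the m inputs)."""
    return ERROR if ERROR in decisions else NOMINAL


def simulate(n_steps=30, upset_proc=1, upset_step=15, threshold=0.1):
    """Constructed scenario with rho = 3. From upset_step on, processor
    upset_proc (0-based; 1 is the paper's muP2) wrongly declares sensor 3
    failed and selects from the other two; no sensor is actually faulty.
    Returns [(k, [d_in,1^i(k) ...], d_in,1(k)), ...]."""
    rho = 3
    true_value = 10.0
    bias = [0.4, 0.0, -0.4]                           # fixed per-sensor biases
    trusted = [set(range(rho)) for _ in range(rho)]   # sensors each channel uses

    def noise(k, idx, amp):                           # constructed bounded "noise"
        return amp * math.sin(0.7 * k + idx)

    history = []
    for k in range(n_steps):
        sensors = [true_value + bias[s] + noise(k, s, 0.02) for s in range(rho)]
        z_s = [sensors[s] + noise(k, 10 + s, 0.02) for s in range(rho)]  # monitor taps
        if k == upset_step:
            trusted[upset_proc].discard(2)            # upset: healthy sensor 3 eliminated
        local = []
        for i in range(rho):
            y_in = select_input(sensors, trusted[i])  # controller's actual selection
            z_in = y_in + noise(k, 20 + i, 0.02)       # monitor's measurement of it
            _, d = input_selection_decision(z_s, z_in, threshold)
            local.append(d)
        history.append((k, local, fuse_or(local)))
    return history


def first_alarm(history, proc=None):
    """Step k of the first ERROR decision, per processor or global (None)."""
    for k, local, d_in in history:
        if (d_in if proc is None else local[proc]) == ERROR:
            return k
    return None


if __name__ == "__main__":
    hist = simulate()
    print("d_in(k) first signals an input selection error at k =", first_alarm(hist))
```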

Control Effectiveness Error Monitor. The strategy for monitoring the controller's command
effectiveness is shown in Figure 9. The control laws are implemented analytically and used to
generate a reference command for each command loop. These reference commands are used in
analytical models of the actuators to generate a reference for the plant command variables,
$u_j(k)$, provided by the actuators. The commands $y_{out,j}(k)$ output by the controller for
each loop are used in a simulation of the actuators to generate what would be the actual plant
command variables, $u_j(k)$. A comparison is made between the measurement $z_{uj}(k)$ of
these variables and the reference in the formation of the residuals. Statistical decisions based on
the residuals are made regarding the effectiveness of each control command output by the
controller. These decisions are then fused into a global decision, $d_e(k)$, on the command
effectiveness of the controller.


The error decisions for the redundancy management process $d_r(k)$, the control law
calculations $d_c(k)$, and command effectiveness $d_e(k)$ are fused into the global upset decision
$d(k)$, as shown in Figure 4. In tests during which upset occurs and is signaled by the unity value
of $d(k)$, the redundancy management error decisions $d^i_{in}(k)$ and $d_{out,j}(k)$, the
control calculation error decisions $d^i_{cj}(k)$, and the control effectiveness error decisions
$d_{ej}(k)$ are all stored in the monitor as a diagnostic aid for post-testing data analysis.

Summary and Future Work 

The problem of verifying the integrity of flight-critical control computers in adverse, as 
well as nominal, operating environments becomes a key issue in the development and certification 
of control systems for advanced aircraft. A strategy for monitoring the control integrity of a critical 
digital controller has been presented. This strategy includes error decisions that can be stored 
during testing and used to aid in the diagnosis of functional error modes known as upset in the 
critical controller. The strategy uses Kalman filtering, analytical redundancy, data fusion, and 
statistical decision theory in the monitoring of control law calculations, the input/output selection 
process of redundant parameters, and the command effectiveness of the controller. With the 
formulation of the problem presented in this paper, subsequent steps can be taken in its solution 
such as the design of the algorithms for the individual monitoring processes in the strategy. In 
particular, statistical decision rules and data fusion algorithms must be designed. The design of 
Kalman filter gains that yield globally optimal results can be considered. In addition, an analysis 
of the design for detection sensitivity to changes in matrix parameter values must be conducted. 
Design tradeoffs to be considered include sensitivity and diagnostic capability versus complexity, 
reliable detection without false alarms, and sensitivity to erroneous parameter changes with 
robustness to modeling errors. These considerations are to be treated in subsequent papers. 
Figure 1: Basic Laboratory Configuration for Upset Evaluation of Critical Controllers

Figure 2: Control System with Redundant Sensors and Microprocessors (labeled block: Fault
Tolerant Controller)

Figure 3: Fault Tolerant Controller Measurements (measurement signals tapped from the fault
tolerant controller)

Figure 4: Upset Detection Concept for Critical Digital Systems (panel title: Upset Monitor for
Critical Digital Controllers; blocks: Input & Output Redundancy Management Error Detection
feeding Inp. & Outp. Redun. Mgt. Error Data Fusion; Control Calc. Error Detection feeding Cntl.
Calc. Error Data Fusion, $d_c(k)$; Control Effect. Error Detection feeding Cntl. Effect. Error Data
Fusion, $d_e(k)$; Global Error Decision Fusion giving the Upset Decision $d(k)$)

Figure 5: Strategy for Monitoring Control Law Integrity in Critical Controllers (blocks: Kalman
Filter, Residual Generator, Statistical Decision Rule; signals: measured input $z^i_{in}(k)$,
previous command measurement $z^i_c(k-1)$, command estimate, error residual, error decision)

Figure 6: Approach for Dynamic Control Command Calculation Error Monitoring (one Kalman
Filter, Residual Generator and Statistical Decision Rule chain per processor $\mu P_1$ through
$\mu P_\rho$, each followed by a per-processor Decision Fusion giving $d^i_c(k)$, then Control
Calc. Error Decision Fusion giving the global decision $d_c(k)$)

Figure 7: Approach for Controller Input Selection Error Monitoring

Figure 8: Approach for Controller Output Selection Error Monitoring

Figure 9: Approach for Controller Command Effectiveness Error Monitoring